Stepping up e-commerce security measures
The first online shopping transaction took place in 1994. The following year, Amazon launched as an online bookstore, forever changing the e-commerce landscape. Fraudsters were quick to capitalize on the opportunities presented by this rapidly-growing sector, luring consumers to fake websites and harvesting credit card details. The move from magnetic stripe to EMV made card fraud at the point of purchase much harder, serving as another motivation for fraudsters already shifting their attention to the world of card-not-present commerce.
The industry began to recognize the need for stepping up security measures for online shopping. Visa initiated the development of a protocol that would add a security layer for online card transactions, partnering with Arcot Systems to develop a solution. In 2001, Verified by Visa, the first application of the 3D Secure protocol, was introduced. Mastercard followed with SecureCode in 2002, while JCB and American Express later launched J/Secure and American Express SafeKey respectively.
Good intentions: to protect consumers
Protecting against card-not-present fraud was 3D Secure’s raison d’etre but online shoppers were often too frustrated by the protocol to feel gratitude at its introduction. They found its activation and authentication processes – both their timing and design – especially irksome.
When it comes to online security, consumers are frequently warned to ensure that they only visit TLS-secured websites, especially when they are expected to enter personal information. But the pop-up screens or windows of 3D Secure show no address bar, making it very hard for consumers to tell where the pop-up window comes from or whether they are (still) using a secure site.
Another piece of advice consumers often hear is to be wary of sites that ask for passwords. In allowing activation during shopping, some issuing banks would ask consumers to choose a 3D Secure password the first time they shopped online, and then to enter the password when prompted to do so. Apart from the risk of consumers entering sensitive information into a phishing site, these less-than-perfect security measures also encourage unsafe online behavior. Consumers grow accustomed to entering sensitive information into a website or pop-up screen that they cannot be sure actually is their bank’s 3D Secure implementation, in essence ignoring online security best practices.
Strong payments security meets great UX
A new 3D Secure protocol, 3D Secure 2.0, was designed to address these security issues while going a long way towards solving a closely related problem with most existing implementations: a high degree of user friction.
Friction during the checkout process is one of the main factors contributing to shopping cart abandonment. It’s a huge concern for all stakeholders. Research indicates that 18% of shoppers abandon their carts due to friction in the checkout process.
The initial 3D Secure protocol had a number of factors that contributed to shoppers abandoning their carts. For consumers unfamiliar with the 3D Secure process, pop-up screens demanding sensitive information and passwords could easily be mistaken for a security threat, in which case the safest option would be to quit.
The requirement to input a static or one-time password – often forgotten in the case of the former, involving a clumsy juggling of devices in the case of the latter – sounded a distinctly false note at a sensitive point in the payment process. Add to that operational issues such as slow loading speeds for authentication pages, timeouts, device incompatibilities, and delayed one-time passwords, and it’s no wonder that 3D Secure became almost synonymous with friction.
3D Secure reimagined with RBA
The 3D Secure protocol was reimagined to keep up with changes in the digital commerce landscape, including that all-important factor: evolving consumer behavior. Given that the value of payments made on mobile devices is expected to reach US $4.6 trillion by 2025, optimizing 3D Secure for mobile devices was arguably the most crucial new requirement.
EMV 3D Secure, as 3D Secure 2.0 became known, boasts a number of improvements over the original protocol. The biggest improvements stem, to a large extent, from the standard’s greater reliance on risk-based authentication (RBA). Using contextual data, the risk of each transaction is determined, and the cardholder is only required to verify their identity when it is deemed high-risk. Termed “frictionless flow”, this approach promises to enhance the customer experience by allowing over 90% of transactions to be processed without user involvement.
EMV 3D Secure also adds a mobile software development kit component, making it easy for merchants to integrate 3D Secure into their mobile apps. Users of mobile apps can now authenticate their purchases in-app, rather than in browser-based pop-up windows.
Together, these changes to the user experience promise a significant decline in cart abandonment, which is bound to drive adoption even in regions where the payments networks have not mandated the introduction of the protocol.
Are you interested to learn more about RBA? Read our blog Demystifying risk-based authentication.
AI: The next UX frontier
In today’s financial services industry, survival of the fittest comes down to offering an engaging customer experience designed from the ground up for a digital world, while offering state-of-the-art security. At Entersekt, this has been our vision from the outset. We’ve seen our technology help wipe out fraud for our clients while providing their users with the control to seamlessly authenticate sensitive transactions. We’ve helped our clients innovate in a competitive payments market, allowing them to make their customers’ financial lives easier and safer.
Improve the digital payment user experience for your customers by taking control of the e-commerce experience. Download our 3D Secure ebook for more.
Entersekt’s 3D Secure solution marks yet another milestone in the evolution of the 3D Secure protocol: it leverage artificial intelligence to determine the risk associated with each transaction. That way, financial institutions know when to trigger additional authentication steps, helping boost transaction success rates.
